Packages
sobelow
0.10.1
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/misc/file_path.ex
defmodule Sobelow.Misc.FilePath do
@moduledoc ~S"""
# Insecure use of `File` and `Path`
Note: This check has been deprecated. File/Path issues were
addressed with the release of OTP 21.
In Elixir, `File` methods are null-terminated, while `Path`
functions are not. This may cause security issues in certain
situations. For example:
```
user_input = "/var/www/secret.txt\0/name"
path = Path.dirname(user_input)
public_file = path <> "/public.txt"
File.read(public_file)
```
Because `Path` functions are not null-terminated, this
will attempt to read the file, "/var/www/secret.txt\\0/public.txt".
However, due to the null-byte termination of `File` functions
"secret.txt" will ultimately be read.
`File/Path` checks can be ignored with the following command:
$ mix sobelow -i Misc.FilePath
"""
end